Should All Audit Findings be Accepted the Same Way? (Published: 13 February 2026)
In my dealings with the management and Boards of different big and small companies in various industries, I found two very common, distinct types of responses to findings raised by auditors on organisations:
Response Type #1: Audit findings are welcomed and accepted as helping the organisation address any weaknesses and improve operations. All recommendations for improvements are accepted and corrective actions implemented as soon as possible.
Response Type #2: Audit findings are neither welcomed nor accepted, and are viewed as a negative against the performance of management. Efforts are made to robustly “discuss and agree” with the auditors to avoid the reporting of any findings. Corrective actions on recommendations of any accepted audit findings are implemented depending on availability of resources and management priorities.
What is your organisation’s response type?
Which is the correct response type?
Not all audit findings are equal. Similarly, the response to audit findings should not always be the same. Organisations operating with an established, industry-standard risk management framework and a clearly defined risk appetite will be able to respond appropriately to each individual audit finding raised. If audit findings indicate risks that are within the established risk appetite, the organisation will have more time to address these findings. However, audit findings that exceed the risk appetite will require immediate or more urgent attention and action.
It is important that an organisation does not over- or under-react to every audit finding raised. Rather, each audit finding should be assessed against the organisation’s risk management framework criteria, particularly against the organisation’s defined risk appetite. The level and treatment of the risk will dictate the escalation and reporting of the risk raised up the management chain to the Board.
Effective risk management helps to align audit findings with risk appetite. This alignment will ensure that resources, in management time and staff, are allocated efficiently, which in turn means the organisation focusses on the risks that truly threaten its objectives.